CGI 漏洞扫描软件 Perl 源代码


#! /usr/bin/perl
# ============================================================================
# CGI 漏洞扫描软件
# ============================================================================

use Socket;

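# Program banner shown by the menu.
our $version = 'Cgi Scanner v1.0';

# Probe list: label => request path.  cgiscannerloop() sends "GET <path>"
# to the target and reports the label when the server answers HTTP 200.
# The label is only a human-readable tag (often carrying the Bugtraq ID);
# nothing keys on its format.
#
# A 200 here proves only that the path is served, not that it is
# exploitable; sample scripts, directory listings and "soft 404" handlers
# all answer 200.  Treat every hit as a lead to verify, not a finding.
#
# Values are single-quoted on purpose: several paths contain '\' and '$',
# which the original double-quoted strings silently mangled ("\f" became a
# form feed, "$DATA" interpolated to an empty string, "\." dropped the
# backslash), so the request that actually went on the wire was not the
# one listed.
our %exploits = (
    'VTI PVT [service.pwd]'                      => '/_vti_pvt/service.pwd',
    'VTI PVT [administrators.pwd]'               => '/_vti_pvt/administrators.pwd',
    'VTI BIN [shtml.exe]'                        => '/_vti_bin/shtml.exe',
    'un1g1.1'                                    => '/cgi-bin/unlg1.1',
    'gH.cgi'                                     => '/cgi-bin/gH.cgi',
    'nph-test-cgi(Bugtraq ID 686)'               => '/cgi-bin/nph-test-cgi',
    'nph-publish'                                => '/cgi-bin/nph-publish',
    'Handler(Bugtraq ID 380)'                    => '/cgi-bin/handler',
    'Webdist.cgi(Bugtraq ID 374)'                => '/cgi-bin/webdist.cgi',
    'faxsurvey'                                  => '/cgi-bin/faxsurvey',
    'wwwboard.cgi'                               => '/cgi-bin/wwwboard.cgi',
    'campas'                                     => '/cgi-bin/campas',
    'AT-admin.cgi'                               => '/cgi-bin/AT-admin.cgi',
    'filemail.pl'                                => '/cgi-bin/filemail.pl',
    'info2www'                                   => '/cgi-bin/info2www',
    'files.pl'                                   => '/cgi-bin/files.pl',
    'Finger'                                     => '/cgi-bin/finger',
    'classifieds.cgi'                            => '/cgi-bin/classifieds.cgi',
    'environ.cgi'                                => '/cgi-bin/environ.cgi',
    'Webbbs.cgi(Bugtraq ID 803)'                 => '/cgi-bin/webbbs.cgi',
    'whois_raw.cgi(Bugtraq ID 304)'              => '/cgi-bin/whois_raw.cgi',
    'Anyboard.cgi'                               => '/cgi-bin/AnyBoard.cgi',
    # NOTE(review): "issadmin" is kept as written; the IIS path is usually
    # spelled /scripts/iisadmin/ -- confirm against the Bugtraq advisory.
    '/scripts/issadmin/bdir.htr'                 => '/scripts/issadmin/bdir.htr',
    'Msadc'                                      => '/msadc/Samples/SELECTOR/showcode.asp',
    '/iisadmpwd/aexp2.htr'                       => '/iisadmpwd/aexp2.htr',
    '/iisadmpwd/anot3.htr'                       => '/iisadmpwd/anot3.htr',
    '5daydatacopier.cgi'                         => '/cgi-bin/day5datacopier.cgi',
    'passwd.txt'                                 => '/cgi-bin/passwd.txt',
    'password'                                   => '/cgi-bin/password',
    '/etc/group'                                 => '/etc/group',
    '/~root'                                     => '/~root',
    'Upload.pl'                                  => '/cgi-bin/upload.pl',
    'formmail.pl'                                => '/cgi-bin/formmail.pl',
    'sendform.cgi'                               => '/cgi-bin/sendform.cgi',
    '_AuthChangeUrl'                             => '/cgi-bin/_AuthChangeUrl',
    'No-such-file.pl'                            => '/scripts/no-such-file.pl',
    '/......'                                    => '/....../',
    'To long!'                                   => '/.html/............./config.sys',
    '/_vti_pvt/shtml.exe'                        => '/_vti_pvt/shtml.exe',
    '/_vti_inf.html'                             => '/_vti_inf.html',
    'cgi-shl/win-c-sample.exe'                   => '/cgi-shl/win-c-sample.exe',
    'default.asp'                                => '/default.asp',
    'Server%20logfile'                           => '/server%20logfile',
    'dcmcfg.nsf'                                 => '/domcfg.nsf/?open',
    'Webhits.exe'                                => '/scripts/samples/search/webhits.exe',
    'fpexplore.exe'                              => '/cgi-bin/fpexplore.exe',
    'gueryhit.htm'                               => '/samples/search/queryhit.htm',
    'ss.cfg'                                     => '/ss.cfg',
    'visadmin.exe'                               => '/cgi-bin/visadmin.exe?user=guest',
    # Backslashes must survive verbatim; the double-quoted original turned
    # "\.\." into ".." and "\w" into "w".
    'input.bat(Bugtraq ID 762)'                  => '/cgi-bin/input.bat?|dir..\..\windows',
    # The ::$DATA alternate-stream probe; "$DATA" must not be interpolated.
    'index.asp::$DATA'                           => '/index.asp::$DATA',
    '//../../config.sys'                         => '//../../config.sys',
    '/../../config.sys'                          => '/../../config.sys',
    'main.asp%81'                                => '/main.asp%81',
    '/adsamples/config/site.csc'                 => '/adsamples/config/site.csc',
    'isn.dll'                                    => '/scripts/iisadmin/ism.dll?http/dir',
    'Search.cgi(Bugtraq ID 921)'                 => '/cgi-bin/search.cgi',
    'bb-hist.sh(Bugtraq ID 142)'                 => '/cgi-bin/bb-hist.sh',
    'kcms_configure(Bugtraq ID 452)'             => '/usr/openwin/bin/kcms_configure',
    # The original packed "s97_cgi s97r_cgi tasmgr" into ONE path, which put
    # spaces in the GET request line and produced a malformed request.
    # Split into one probe each.  NOTE(review): tasmgr is assumed to live
    # under /cgi-bin/ like the other two -- confirm against the advisory.
    's97_cgi(Bugtraq ID 162)'                    => '/cgi-bin/s97_cgi',
    's97r_cgi(Bugtraq ID 162)'                   => '/cgi-bin/s97r_cgi',
    'tasmgr(Bugtraq ID 162)'                     => '/cgi-bin/tasmgr',
    'ppdscgi.exe(Bugtraq ID 491)'                => '/cgi-bin/ppdscgi.exe',
    'dfire.cgi(Bugtraq ID 564)'                  => '/cgi-bin/dfire.cgi',
    'guestbook.pl(Bugtraq ID 776)'               => '/cgi-bin/guestbook.pl',
    'Anyform.cgi(Bugtraq ID 719)'                => '/cgi-bin/AnyForm.cgi',
    'w3-msql(Bugtraq ID 591, 898)'               => '/cgi-bin/w3-msql',
    # The original listed "Bugtraq ID 770" three times; a hash keeps only
    # the last duplicate, so the alibaba.pl probe was silently dropped.
    # Unique labels keep both, and "\f" in c:\file.txt is no longer a form feed.
    'tst.bat(Bugtraq ID 770)'                    => '/cgi-bin/tst.bat|type%20c:\file.txt',
    'alibaba.pl(Bugtraq ID 770)'                 => '/cgi-bin/alibaba.pl|dir',
    'status.cgi(Bugtraq ID 914)'                 => '/cgi-bin/status.cgi',
    'FormHandler 1.0, 2.0(Bugtraq ID 799, 798)'  => '/cgi-bin/FormHandler.cgi',
    'webwho.pl(Bugtraq ID 892)'                  => '/cgi-bin/webwho.pl',
    'carbo.dll'                                  => '/carbo.dll',
);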

# Entry point: show the interactive menu (defined below; plain call syntax
# is fine because nothing here relies on the prototype being bypassed).
menu();

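# Interactive main menu.  Prints the banner and choices, reads one line
# from STDIN and dispatches on it; after the chosen action returns, the
# menu is shown again.  An unrecognised choice just redraws the menu, and
# EOF on STDIN ends the program instead of spinning forever on an empty
# selection (the original chop()ed undef to "" and recursed into itself).
#
# The STDIN reads were lost when this listing was published (the "<STDIN>"
# angle brackets were stripped); they are restored here.
sub menu {
    # Choice => handler.  All handlers are defined later in this file.
    my %action_for = (
        '1' => \&cgiscanner,
        '2' => \&infomessage,
        '3' => \&exploitinfo,
        '4' => \&helpmessage,
        '5' => \&exitcgisonar,
    );

    while (1) {
        print "\n\n";
        print "                          $version\n\n";
        print "         Based on source code of [ Infinity Scanner v1.3 ]\n\n";
        print "                          1) Cgi Sonar\n";
        print "                          2) About Cgi Sonar\n";
        print "                          3) Exploit Info\n";
        print "                          4) Help\n";
        print "                          5) Exit\n";
        print "Command: ";

        my $selection = <STDIN>;
        exit 0 unless defined $selection;    # EOF: nothing more to read
        chomp $selection;
        $selection =~ s/^\s+|\s+$//g;

        # String match instead of the original numeric "==", which accepted
        # any input whose numeric prefix matched (e.g. "1abc" selected 1).
        my $handler = $action_for{$selection};
        $handler->() if $handler;
        # Unknown choice, or the action finished: loop and redraw the menu.
    }
}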

# Menu choice 1: choose between scanning a file of hosts and scanning a
# single host, based on the global $usehostlist ("yes" selects the file).
# NOTE(review): $usehostlist is never assigned anywhere in this file, so
# only the single-host path is reachable unless it is set elsewhere.
sub cgiscanner {
    my $use_file = defined $usehostlist && $usehostlist eq 'yes';
    return $use_file ? exploituselist() : exploitnouselist();
}

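# Scan every host named in a text file, one host per line.  Prompts for the
# file name and for logging (sets the global $storelogs, which
# cgiscannerloop() reads), scans each host, then returns to the menu.
# Dies with a message if the file cannot be opened.
#
# The STDIN/filehandle reads were lost when this listing was published
# (the angle brackets were stripped); they are restored here.
sub exploituselist {
    print "\nServerlist Filename: ";
    my $hostlist = <STDIN>;
    $hostlist = '' unless defined $hostlist;
    chomp $hostlist;

    # Three-argument open with an explicit read mode.  The original two-
    # argument open($fh, "$hostlist") let the user-supplied name choose the
    # mode: a name such as "|some command" would have executed the command
    # and ">file" would have truncated it.  (The original also called
    # &dienice on failure, which is not defined anywhere in this file.)
    open(my $list_fh, '<', $hostlist) or die "Can't open $hostlist: $!\n";
    my @hosts = <$list_fh>;
    close $list_fh;

    print "\nEnable Logging?(Saved as gotcha.log) [yes or no]: ";
    $storelogs = <STDIN>;
    $storelogs = '' unless defined $storelogs;
    chomp $storelogs;

    foreach my $host (@hosts) {
        $host =~ s/^\s+|\s+$//g;    # also strips CR from DOS line endings
        next if $host eq '';        # blank lines are not hosts
        cgiscannerloop($host);
    }
    menu();
}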

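# Scan a single host.  Prompts for the host name or IP and for logging
# (sets the global $storelogs read by cgiscannerloop()), runs the scan and
# returns to the menu.  An empty host name is rejected up front rather than
# handed to the resolver.
#
# The STDIN reads were lost when this listing was published (the angle
# brackets were stripped); they are restored here.
sub exploitnouselist {
    print "\nHost: ";
    my $host = <STDIN>;
    $host = '' unless defined $host;
    chomp $host;
    $host =~ s/^\s+|\s+$//g;

    if ($host eq '') {
        print "\nNo host entered.\n";
        menu();
        return;
    }

    # "Emable" in the original prompt was a typo.
    print "\nEnable Logging?(Saved as gotcha.log) [yes or no]: ";
    $storelogs = <STDIN>;
    $storelogs = '' unless defined $storelogs;
    chomp $storelogs;

    cgiscannerloop($host);
    menu();
}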

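# Probe one host (the single argument, name or IP) on TCP port 80 for every
# path in %exploits and report those the server answers with HTTP 200.
# Returns the number of hits.
#
# Globals read: %exploits, $storelogs ("yes" appends hits to gotcha.log),
# $verbosemode ("y" also prints misses).
#
# Only scan hosts you own or are explicitly authorised to test.
#
# Caveat on results: a 200 only shows the path is served.  Servers that
# answer 200 for every unknown path ("soft 404") make every probe look like
# a hit, so verify each reported location by hand.
#
# Changes from the original: the host is resolved once, up front (the
# original called sockaddr_in() with undef when resolution failed, which
# croaks); a connect failure stops the scan instead of timing out once per
# probe; the request uses CRLF line endings and carries a Host header so
# name-based virtual hosts answer for the right site; the log file is
# opened with a lexical handle and its close is checked (the original
# called &dienice on failure, which is not defined in this file).  The
# socket read "<CLIENT>" was lost when this listing was published and is
# restored here.
sub cgiscannerloop {
    my $host = "@_";
    my $port = 80;
    my $hits = 0;

    print "\n\nChecking $host for known exploits:\n\n";

    my $server_ip = inet_aton($host);
    unless (defined $server_ip) {
        print "Can't Resolve host!\n";
        print "No exploitable holes found on host $host\n";
        return 0;
    }
    my $server_addr = sockaddr_in($port, $server_ip);

    PROBE: foreach my $key (sort keys %exploits) {
        my $path = $exploits{$key};

        my $client;
        unless (socket($client, PF_INET, SOCK_STREAM, getprotobyname('tcp'))) {
            print "Can't create socket: $!\n";
            last PROBE;
        }
        unless (connect($client, $server_addr)) {
            # Almost always "host down" or "port closed"; one message and
            # stop rather than one timeout per probe.
            print "Can't connect to $host:$port ($!)\n";
            close $client;
            last PROBE;
        }

        send($client, "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n", 0);

        # Only the status line is needed; the body is ignored.
        my $status_line = <$client>;
        close $client;

        my $code;
        if (defined $status_line && $status_line =~ m{^HTTP/\d\.\d\s+(\d{3})}) {
            $code = $1;
        }

        if (defined $code && $code == 200) {
            print "Exploit Found: $key\nLocation: $path\n\n";
            $hits++;
            if ($storelogs eq 'yes') {
                if (open(my $log_fh, '>>', 'gotcha.log')) {
                    print {$log_fh} "Exploit Found: $key\nServer: $host\nLocation: $path\n\n";
                    # Buffered write errors surface at close.
                    close $log_fh or print "Couldn't write gotcha.log: $!\n";
                }
                else {
                    print "Couldn't open gotcha.log for writing ($!). "
                        . "Please make sure the file exists and is writable.\n";
                }
            }
        }
        elsif ($verbosemode eq 'y') {
            print "$key Exploits Not Found\n";
        }
    }

    print "No exploitable holes found on host $host\n" if $hits == 0;
    return $hits;
}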

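# Menu choice 2 ("About"): print the credit line, then wait for Enter so
# the text is readable before the menu is redrawn.  Reads and discards one
# line of STDIN (the read was lost when this listing was published and is
# restored here).
sub infomessage {
    print "               Cgi Scanner v1.0 by Maxview\n\n";
    # The other info screens prompt before blocking on STDIN; do the same
    # here so the pause does not look like a hang.
    print "Press enter to continue...";
    my $discard = <STDIN>;
    return;
}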

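# Menu choice 3: tell the user where to look up the exploits the scanner
# reports, then wait for Enter.  Reads and discards one line of STDIN (the
# read was lost when this listing was published and is restored here).
#
# NOTE(review): the sites and the SecurityFocus URL date from around 2000
# and may no longer resolve; the Bugtraq IDs in the probe labels remain
# the stable identifier to search for.
sub exploitinfo {
    print "                        Exploit Info\n\n";
    print " If you are having trouble finding info on the exploits found\n";
    print " on a certain host you have scanned... I strongly suggest you \n";
    print " look for info on the exploits found on a host at the following\n";
    print " sites... http://www.securityfocus.com, www.rootshell.com, or\n";
    print " http://packetstorm.securify.com... If you are confused about\n";
    # Plain ASCII apostrophe; the published copy had a typographic quote.
    print " the Bugtraq ID's... Then simply go to http://www.securityfocus.com\n";
    print " /level2/bottom.html?go=vulnerabilities and click on the Bugtraq ID\n";
    print " tab and type in the ID number in the blank box... All the info\n";
    print " you will need will be in the newly loaded page...\n\n";
    print "Press enter to continue...";
    my $discard = <STDIN>;
    return;
}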

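# Menu choice 4: describe the menu entries and the prompts, then wait for
# Enter.  Reads and discards one line of STDIN (the read was lost when this
# listing was published and is restored here).
#
# The list now matches menu(): the original skipped "Exploit Info" and so
# numbered Help and Exit one lower than the menu does.
sub helpmessage {
    print "                          Help\n\n";
    print "                  Cgi Scanner commands\n\n";
    print " 1) Cgi Scanner- Scans for known Cgi exploits on a remote host...\n";
    print " 2) About Cgi Scanner- Informs you about Cgi Scanner...\n";
    print " 3) Exploit Info- Tells you where to look up the exploits found...\n";
    print " 4) Help- Informs you on certain aspects of Cgi Scanner...\n";
    print " 5) Exit- It simply exits you out of the Cgi Scanner...\n\n";
    print "                     Sub commands\n\n";
    print " Host:- Allows you to type in the IP of the host you wish\n";
    print " to scan (e.g. 127.0.0.1)...\n";
    print " Enable Logging- Logs exploits found, Host IP, etc...\n";
    print "            Thank you for using Cgi Scanner\n\n";
    print "Press enter to continue...";
    my $discard = <STDIN>;
    return;
}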

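# Menu choice 5: terminate the program.  Exits with status 0 because this
# is a normal, user-requested exit; the original's "exit 1" made shell
# wrappers and scripts read a clean quit as a failure.
sub exitcgisonar { exit 0; }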

程序看上去很复杂，但实际上和用 C 语言编写的漏洞扫描器原理是一样的：先通过 Socket 与目标服务器的 80 端口建立 TCP 连接，然后发送 HTTP GET 请求探测指定的文件是否存在；如果服务器返回状态码 200，就报告该文件的位置。需要注意的是，返回 200 只能说明该路径可以访问，并不等于存在可利用的漏洞（例如对任意路径都返回 200 的服务器会让每一项探测都误报），所报告的每一条结果都应当人工核实。这个程序中定义了很多种不同的漏洞（大多附有 Bugtraq ID，可据此查阅原始公告），作为学习者应该努力掌握这些漏洞的原理和利用方法，但只能对自己拥有或已获得明确授权的主机进行扫描。